So it turns out that Shodan - a kind of multi-protocol Google-alike search engine for metadata and protocol headers - has indexed a bunch of Onion sites which were configured to leak their (onion) hostnames into protocol headers.
https://www.shodan.io/search?query=.onion%2F
This is... tragic, perhaps, and avoidable to varying extents (eg: my proposed setup process*) but the situation also possibly presents an opportunity for anyone who has identified addresses of sibyl/other naughty tor-infra-impacting activity, to maybe check some logs and see if any badly-configured onions were also hosted on the same addresses/subnets, get some concept of what hidden services were hosted there, and what they may have been up to?
If people think onionland is some errorproof perfect configuration zone, free from scam, free from agents, free from discovery, free from all manner of trickery, buggery, debuggery, bauchery, exploit, or the bore of ever September, and so on.... nope, it's been quite the opposite since day one. That people are only recently studying finding and publishing these things, claiming as news twatter to a hat, is rather amusing. And of course such work is fine endeavour and report as well. Have fun.